What is a Pwn Request in the context of response headers?

In bug bounty hunting, response header analysis is passive reconnaissance — you send an HTTP request and read what the server tells you back. Modern web applications often leak significant infrastructure information in response headers: internal service names via x-middleware-rewrite (Next.js), backend technology via x-powered-by or server, internal network topology via via or x-forwarded-server, Kubernetes namespace information via x-envoy-upstream-service-time, and internal hostname patterns like *.svc or *.internal in proxy chain headers. These leaks require no active scanning, trigger no WAF rules, and are often overlooked because developers focus on application logic rather than what their infrastructure reveals in every HTTP response.

How does Cloudflare affect bug bounty hunting?

Cloudflare acts as a reverse proxy and WAF (Web Application Firewall) in front of roughly 60% of high-value bug bounty targets. Its impact on automated scanning is significant: aggressive path enumeration tools like gobuster and ffuf will be rate-limited or blocked; Nuclei templates at scale will trigger WAF rules and get source IPs blocked; active probing that generates high request volume is effectively impractical at production targets. The practical response is a passive-first methodology: prioritise Certificate Transparency logs for subdomain discovery, JavaScript bundle analysis for endpoint and secret extraction, response header analysis for infrastructure mapping, GitHub organisation search for code and configuration leaks, and cross-asset correlation. None of these trigger Cloudflare because they either don't send HTTP requests to the target at all (CT logs, GitHub) or send minimal, low-frequency requests that look like normal browser traffic (header analysis, JS bundle fetch).

What is the pull_request_target attack and why is it still exploited in 2026?

The pull_request_target trigger in GitHub Actions runs workflows in the context of the target repository — with access to the repository's secrets and a privileged GITHUB_TOKEN — even when triggered by a pull request from a fork. This is intentional design: it allows maintainers to write to PR comments and labels from workflows triggered by external contributors. The vulnerability arises when a workflow using pull_request_target also executes code from the fork — particularly when it references github.event.pull_request.head.ref (the PR branch name, which the fork author controls) in a shell run step. The branch name becomes a shell injection vector. GitHub Security Lab documented this in 2021. It remains actively exploited in 2026 because: (1) the pull_request_target documentation does not prominently flag the security implications; (2) developers copy workflow patterns without understanding the trust boundary difference from pull_request; (3) many popular CI/CD workflow templates use the trigger for legitimate reasons and developers extend them without recognising the risk.

What is the SSRF (Server-Side Request Forgery) attack chain from infrastructure leaks?

Infrastructure leaks — particularly internal service names found in HTTP response headers — create a natural attack chain toward Server-Side Request Forgery. The chain: (1) Header analysis reveals x-middleware-rewrite: http://core-int-unicorn.core.svc/ — an internal Kubernetes service hostname. (2) The attacker identifies URL parameters on the target's endpoints that accept external URLs: ?url=, ?src=, ?redirect=, ?callback=, ?proxy=. (3) The internal hostname is used as the SSRF payload: ?url=http://core-int-unicorn.core.svc/. (4) If the application makes an outbound request to the attacker-supplied URL without validation, the internal service receives the request — potentially exposing admin interfaces, internal APIs, cloud metadata (169.254.169.254), or other services on the internal network that are not exposed to the internet. SSRF findings that reach cloud metadata endpoints (AWS IMDSv1, GCP metadata API) can yield IAM credentials with significant permissions, making them P1 findings on most bug bounty programs.

Why do bug bounty programs require both subfinder and httpx for subdomain enumeration?

Subfinder is a passive subdomain enumeration tool — it queries Certificate Transparency logs, DNS passive repositories, public APIs (Shodan, VirusTotal, Censys), and other data sources to discover subdomains without sending requests to the target. httpx is an HTTP probing tool — it takes a list of hostnames and sends HTTP/HTTPS requests to each one to determine which are live (returning HTTP 200/301/etc. rather than connection refused or NXDOMAIN). Together, they form the standard recon pipeline: subfinder discovers what subdomains exist, httpx confirms which ones are live and fetchable. Running subfinder alone gives you a list of subdomains that may include decommissioned hosts. Running httpx alone requires a prior subdomain list. The combination, typically piped as subfinder -d target.com | httpx -status-code -title, is the de facto standard opening step for web application bug bounty hunting because it maps the live attack surface in minutes without active scanning.

SecurityClaw Hunted Vinted on Intigriti — and Found 10 Gaps in Itself

March 31, 2026 · SecurityClaw Phase D · Bug Bounty · Live Hunt

A 45-minute live hunt against Vinted on Intigriti produced four findings and a candid post-mortem: SecurityClaw found things, but it found them despite its tooling, not because of it. The best finding — VIN-001, an internal Kubernetes hostname leak via HTTP response headers — was found by running curl -I against the homepage. The campaign engine had no skill to do that automatically. That's the gap. Phase D exists to close it.

The Hunt: Vinted, 45 Minutes, Cloudflare Everywhere

Field	Value
Target	Vinted (`vinted-bugbountyprogram` on Intigriti)
Scope	`.vinted.com`, `.vinted.fr`, `.vinted.net`, `.vintedgo.com`
WAF	Cloudflare (all main properties)
Hunt duration	~45 minutes active
Findings	4 (1 MEDIUM submittable, 1 LOW, 2 informational)
Tools that worked	Manual curl, CT logs (partial), GitHub API
Tools missing	subfinder, httpx, nuclei, gitleaks, trufflehog
Primary finding method	Manual response header inspection

Vinted is one of Europe's largest second-hand fashion platforms — 65 million users, listed on Intigriti with a scope spanning four TLD wildcards. It runs Cloudflare on every main property, which immediately changed the rules for SecurityClaw's standard tool stack.

The hunt was not intended as a showcase. It was a capability validation run: spin up SecurityClaw's Phase C stack against a real production target with a real bug bounty program, and see what breaks. The answer: almost everything that matters.

VIN-001 (MEDIUM): The Kubernetes Hostname Nobody Was Looking For

The most interesting finding from the entire hunt was found in 30 seconds with a one-line command:

curl -sI https://www.vinted.com | grep -i "x-middleware"

x-middleware-rewrite: http://core-int-unicorn.core.svc/

That response header — x-middleware-rewrite — is a Next.js middleware header. It reveals the internal service name that the middleware is proxying requests to: core-int-unicorn.core.svc. The .svc suffix is a Kubernetes DNS pattern — it's the name of an internal Kubernetes service in the core namespace. This is a production infrastructure leak served to every visitor to www.vinted.com on every request.

The finding (VIN-001) is MEDIUM severity on its own. Internal service names in Cloudflare-protected targets have limited direct exploitability — Cloudflare's WAF will block most attempts to reach the internal service directly. But the finding has meaningful chaining value: if any Vinted endpoint accepts a URL parameter without validation (a common pattern in redirects, image proxies, webhook callbacks), that parameter could be pointed at core-int-unicorn.core.svc via SSRF. An SSRF chain reaching a Kubernetes internal service is typically rated HIGH or CRITICAL — it can access cloud metadata endpoints, internal admin APIs, and services that assume all callers are trusted internal infrastructure.

The same header pattern appeared on www.vinted.fr, suggesting the leak is consistent across TLDs — which is what you'd expect from a shared Next.js middleware layer.

The critical point for SecurityClaw's development roadmap: this finding required no automated tooling. It required reading HTTP response headers. The campaign engine, after Phase A + Phase B + Phase C development, had no skill that does this. VIN-001 would have been missed entirely in any automated SecurityClaw run against Vinted.

VIN-002 (LOW): MISP Instance on a Public Subdomain

CT log enumeration against *.vinted.net surfaced misp.vinted.net. Fetching the root URL returned a page titled "Users - Vinted MISP" — a live MISP (Malware Information Sharing Platform) instance accessible from the public internet. MISP is the threat intelligence platform used by security teams to track indicators of compromise, malware samples, and attack campaigns. An exposed MISP instance reveals the platform's threat intelligence posture and, if insufficiently hardened, may expose intelligence data, user accounts, or API endpoints.

The severity was rated LOW because MISP's login page was enforced — this wasn't an unauthenticated access finding. The exposure concern is the presence of the platform on a publicly resolvable subdomain rather than on an internal network. The finding is informational for the asset inventory: security teams are sometimes unaware that internal tooling is DNS-resolvable from the internet.

A second interesting subdomain found: scim.vinted.net. SCIM (System for Cross-domain Identity Management) is typically used for enterprise identity provisioning — connecting HR systems, SSO platforms, or identity providers to application user directories. An exposed SCIM endpoint without authentication can be used to enumerate, create, or modify user accounts. Authentication was enforced; severity was informational.

VIN-003 (INFORMATIONAL): Google Maps API Key — Referer-Restricted

A Google Maps API key (AIzaSyDQUtyPkhD9gSdtfaJ2xUfH9UCgfw132u4) was found in the source of labels.vintedgo.com. Validating it required testing across the full Google Maps API surface:

API	Result
Maps JavaScript (browser)	✅ Works (with valid referer)
Geocoding API (server-side)	❌ REQUEST_DENIED
Static Maps	❌ REQUEST_DENIED
Directions API	❌ REQUEST_DENIED
Places API	❌ REQUEST_DENIED

The key is referer-restricted: it works only from browser requests originating at labels.vintedgo.com, not from server-side API calls. This is the correct configuration for a Maps JavaScript key — it's designed to be embedded in frontend code where the browser provides the HTTP referer. An attacker can't use this key to make unlimited Geocoding requests or access billing-enabled APIs. Severity: LOW/informational.

This finding illustrates why API key severity depends entirely on scope. The same AIzaSy... key pattern would be CRITICAL if it granted unrestricted access to Places API (which can generate significant billing charges) or HIGH if it allowed server-side geocoding without referer restrictions. The REQUEST_DENIED from server-side calls is the correct answer — and the only way to get that answer is to test it, not to report the key based on pattern alone.

What Broke: The Phase D Gap Inventory

The Vinted hunt produced a structured capability gap analysis — ten gaps identified, prioritised, and turned into Phase D implementation specs. Here's what the hunt exposed:

GAP-001 (P1): No Response Header Analysis Skill

VIN-001 was found by running curl -I. The campaign engine has no skill that systematically collects and analyses response headers across a target's assets. This is not an edge case — headers that leak infrastructure information appear on virtually every modern web application:

x-middleware-rewrite — Next.js middleware proxy target (Kubernetes service names)
x-powered-by — application framework and version
server — web server identity
via / x-forwarded-server — proxy chain topology
x-envoy-upstream-service-time — Envoy/Istio service mesh timing (confirms service mesh presence)
x-amzn-requestid — AWS Lambda or API Gateway backing

Without a HeaderAnalysisSkill, SecurityClaw walks past this entire finding class on every target. A 30-second manual check found VIN-001. The skill fix is two to three days of implementation.

GAP-002 (P1): No Multi-TLD Scope Manager

Vinted has four wildcard TLDs. misp.vinted.net and scim.vinted.net — both interesting findings — were under the .net TLD. A campaign pointed only at vinted.com would have missed them entirely. The engine currently accepts one target string per run.

In real bug bounty programs, approximately 40% of interesting assets are on secondary TLDs. Uphold, DigitalOcean, and Vinted all have multi-domain scopes. Without a ProgramScopeManager that maps a program handle to all in-scope roots and runs enumeration against all of them in parallel, every multi-TLD program is only partially hunted.

GAP-003 (P1): No Passive Recon Toolchain

subfinder, httpx, nuclei, gitleaks, and trufflehog are all referenced in SecurityClaw's skills. None of them were installed in the execution environment during the Vinted hunt. The skills invoked tool binaries that didn't exist and silently returned no results — no error, no warning, just empty output. The entire active recon phase fell back to manual curl.

This is a silent failure mode that produces false negatives with no indication anything went wrong. A ToolAvailabilityMonitor at campaign start would surface "subfinder not installed — subdomain enumeration will be limited to CT logs" rather than allowing skills to silently return empty. Fix: a startup check, clear warnings, and an install-tools.sh script for the full toolchain.

GAP-004 (P1): No Cloudflare-Aware Scanning Strategy

The engine has no awareness of Cloudflare. It treats all targets identically — which means aggressive tools (gobuster, ffuf, nuclei at scale) run against CF-protected targets until they're blocked. Roughly 60% of high-value bug bounty targets are Cloudflare-protected. This is not an edge case; it's the majority case.

The fix is a WAFDetectionSkill that identifies Cloudflare presence (cf-ray header, ASN 13335, server: cloudflare) and switches the campaign to passive-first mode: prioritise CT logs, JS bundle analysis, header analysis, and GitHub org search; rate-limit active tools to under 10 req/s; skip aggressive path brute-force. The Vinted hunt demonstrated the passive-first approach is viable — VIN-001 (the best finding) required zero active scanning.

GAP-005 (P2): No Sensitive Service Fingerprinting

misp.vinted.net was identified as MISP by recognising the page title "Users - Vinted MISP." There's no skill that checks discovered subdomains against a fingerprint database of sensitive services — MISP, Grafana, Kibana, Jupyter, Sentry, GitLab, Jira, HashiCorp Vault, Kubernetes dashboard, Argo CD, Jenkins, and 20+ others. These consistently yield high-value bug bounty findings when found with weak authentication or default credentials. The fingerprint library is reusable across every future target.

GAP-006 (P2): No API Key Scope Validator

The Google Maps API key validation (VIN-003) required manually testing five different API endpoints with varying referer headers. There's no skill that automates this. Multi-provider API key validation — Google Maps, Stripe, Twilio, SendGrid, AWS, Mapbox, Algolia — is the difference between reporting a key as LOW (referer-restricted) vs. HIGH (unrestricted server-side access) vs. CRITICAL (billing-enabled APIs accessible). Without automated validation, keys are either over-reported (wasted submission, program trust cost) or under-reported (missed HIGH finding).

GAP-007 (P2): No Mobile App Analysis

Vinted's iOS and Android apps are in scope. Neither was analysed. Mobile apps consistently yield higher-severity findings than web recon — developers treat them as client-side code and embed API keys, internal endpoint URLs, OAuth secrets, and feature flags that would never appear in a web page. APK decompilation with jadx, manifest analysis, and running trufflehog against decompiled source is a known-high-yield workflow with no current equivalent in SecurityClaw's skill set.

GAP-008 (P2): No SSRF Chain Automation

VIN-001 revealed core-int-unicorn.core.svc as an internal service. The obvious next hypothesis: does any Vinted endpoint accept a URL parameter that could reach this service via SSRF? That reasoning was done manually. The campaign engine has no chain rule that fires when InternalHostnameLeak is found: "scan for SSRF vector parameters, test with internal hostname as payload." This is the difference between finding an infrastructure leak and chaining it into a potential P1 finding.

GAP-009 (P3): No Intigriti Scope Auto-Pull

Vinted's scope was known from a prior program scorer run. For a live hunt, scope changes matter — programs add and remove assets, modify RoE, and sometimes disable automated scanning entirely (as happened with CM.com in an earlier campaign). A pre-hunt scope refresh against the Intigriti API would surface new assets added since the last run and block campaigns if the program has changed its automated scanner policy.

GAP-010 (P3): No Cross-Asset Correlation

core-int-unicorn.core.svc appeared in headers on both www.vinted.com and www.vinted.fr. The x-next-app: marketplace-web header appeared on the same two properties. JS bundles were served from marketplace-web-assets.vinted.com. Together, these signals reveal that vinted.com and vinted.fr are the same Next.js application deployment — meaning findings on one likely apply to the other, and IDOR vulnerabilities found on one property should be tested against both. Without cross-asset correlation, the engine treats each asset independently and misses these architectural insights.

Phase D: Passive-First, Header-Aware, CF-Resilient

The Vinted hunt produced a Phase D roadmap with three implementation sprints:

Phase	Gaps	Theme
D1 (current sprint)	GAP-001, 002, 003, 004, 009	Passive-first infrastructure: header analysis, tool health, scope management, Cloudflare awareness
D2 (next sprint)	GAP-005, 006, 007, 008	High-value finding classes: service fingerprinting, API key validation, mobile analysis, SSRF chaining
D3 (future)	GAP-010	Intelligence synthesis: cross-asset correlation, architectural mapping

On 2026-03-30, the D1 implementation was validated in a Phase D rerun against Vinted. All eight Phase D skills were registered in the SKILL_REGISTRY. All six gap validation checks passed:

✅ GAP-011: All 8 Phase D skills present in SKILL_REGISTRY
✅ GAP-005: WAF_DETECTED → JS bundle analyzer chain rule
✅ GAP-005: SUBDOMAIN_FOUND → WAF detection trigger
✅ GAP-002: All 9 Phase D FindingType entries present (including ProxyChainLeak → INFRASTRUCTURE_LEAK)
✅ GAP-002: TechStackFingerprint / CloudProviderLeak / ProxyChainLeak no longer map to CERT_FOUND
✅ GAP-004: Multi-path scan covering /items, /members/1 (9 paths total)

The rerun completed in 12.16 seconds against Vinted's live infrastructure: 9 skills executed, 46 findings (WAF_DETECTED + INTERNAL_HOSTNAME_LEAK across www.vinted.com, api.vinted.com, www.vinted.fr), three chain rules fired (ssrf-hypothesis, cross-asset-correlator, cf-aware-scan-strategy). One gap remained: VIN-001 (the original internal hostname finding) was not detected — Vinted may have patched the header or the endpoint changed.

One noted caveat: if Vinted patched x-middleware-rewrite after VIN-001 was submitted, that's the correct outcome. Bug bounty programs fix findings, and fixed findings don't appear in subsequent scans. The VIN-001 path changing is not a gap validation failure — it's confirmation that the finding was real enough to patch.

The Passive-First Principle

The Vinted hunt crystallised something that applies across all modern bug bounty targets, not just Cloudflare-protected ones: the highest-value findings often come from reading what the server is already telling you, not from asking it questions it wasn't expecting.

VIN-001 — the best finding from 45 minutes of hunting — required sending one HTTP HEAD request and reading the response. No active scanning. No brute-force. No WAF triggers. The server volunteered a Kubernetes internal service name in a header that has been present on every page load since whenever the Next.js middleware was deployed.

The same principle applies across the Phase D gap inventory. CT logs expose the subdomain history of a target without sending a single packet to the target. GitHub organisation search exposes code, configuration, and secrets without touching the production infrastructure. JS bundle analysis extracts API endpoints, internal service references, and hardcoded credentials from files the server intentionally serves. Header analysis catalogues infrastructure leaks that production servers broadcast on every request.

Cloudflare doesn't block any of this. WAFs block requests that look like attacks. Reading what the server already tells you doesn't look like an attack — because it isn't one.

Phase D's north star: a SecurityClaw campaign against a Cloudflare-protected target should produce high-quality findings before a single active probe fires. The passive layer — headers, CT logs, JS bundles, GitHub — should be exhausted first. Only then, with WAF-aware rate limiting, should active scanning begin. That's the difference between a tool that gets blocked and a platform that hunts.

What This Means for Bug Hunters

The Vinted hunt is useful beyond the SecurityClaw roadmap story. It's a practical illustration of what a passive-first methodology looks like against a production Cloudflare target, and what finding classes it surfaces.

On response header analysis: Run curl -sI [target] | less at the start of every hunt before touching any automated tools. Next.js headers (x-middleware-rewrite, x-next-app), Kubernetes service names (any header containing .svc or .internal), Envoy timing headers, and cloud provider headers (x-amzn-requestid, x-cloud-trace-context) are all information the server is already publishing. It takes 30 seconds and has no WAF footprint.

On multi-TLD scope: Check every TLD in the program scope. Run CT log lookups against all of them. Secondary TLDs (.net, .fr, .co.uk) often host internal tooling — monitoring, identity management, staging environments — that was never intended to be publicly accessible and has received less security scrutiny than the primary domain.

On API key validation: Never report an API key without testing it. The difference between a LOW finding and a HIGH finding is one API call — and submitting a referer-restricted Maps key as a HIGH severity finding erodes program trust and wastes everyone's time. Test. Document what you tested. Report what the key can actually do.

For the foundational methodology, the standard reference on modern penetration testing remains The Web Application Hacker's Handbook — covering the full attack surface systematically. For bug bounty-specific methodology, Real-World Bug Hunting by Peter Yaworski is the practical guide to turning vulnerability classes into submitted reports. For infrastructure and cloud attack surfaces — where header leaks like VIN-001 connect to higher-severity chains — the Hacking the Cloud reference covers AWS metadata, SSRF chains, and IAM privilege escalation in depth.

What's Next

The Phase D D1 sprint is underway. HeaderAnalysisSkill, ProgramScopeManager, ToolAvailabilityMonitor, WAFDetectionSkill, and IntigritiScopePuller are the five immediate deliverables. The validation rerun against Vinted confirmed the core engine changes are in place; the remaining work is skill-level implementation and integration.

When Phase D D1 ships, a SecurityClaw campaign against Vinted will automatically: analyse response headers across all four TLD scopes in parallel, detect Cloudflare and switch to passive-first mode, enumerate subdomains across all four wildcard TLDs, confirm tool availability before skill execution, and pull fresh scope from Intigriti at campaign start. VIN-001 will go from "found manually in 30 seconds" to "found automatically in the first 30 seconds of every run."

That's what Phase D is for.